Author: Massimiliano Brolli
Unlike what happens in Italy, many foreign companies are not afraid of cyber incidents and are able to publish press releases on their websites, informing users step by step about how the company is handling an IT crisis, without any fear.
The case of APETITO
This case, which we will analyze, is very recent and concerns the company APETITO in the UK, which delivers meals to organizations (hospitals, nursing homes, school canteens) and to the elderly. Since June 26 it has been releasing information about the cyber attack that was unveiled today, exactly 20 days later, with a post published underground by the Hive ransomware group.
The press release received 5 updates from the company, which reported what it was doing to respond to the crisis starting the day after the cyber attack.
Today, July 13, Hive Ransomware published for the first time a notice on its data leak site (DLS) showing that the company had been hacked and had become a victim of ransomware.
Now let us look at the first press release issued by APETITO. It is dated June 26, 2022, which is 20 days before Hive ransomware published its post on its DLS.
In addition, this press release was updated regularly, providing 5 updates to customers, all signed by the CEO.
Are they all crazy?
Are they not afraid for their web and brand reputation?
What did APETITO do?
As we have seen, the company warned users as soon as it became aware of the incident, 20 days before the news was published on Hive ransomware's data leak site. Cybercriminals generally post when the organization does not want to pay the ransom.
In addition, APETITO clearly reported on its website that the company had been the victim of a cyber attack, with the notice “Apetito victim of international criminal cyber attack – statement”; clicking on the link redirects to the PDF of the press releases.
Some considerations about crisis management
At this point, let us consider two completely divergent approaches:
- First approach: the transparent approach (APETITO's approach): immediately after the IT incident, the company issues regular press releases informing its customers about the incident. Customers are then informed about the immediate and subsequent impact on service delivery, what the damage was, and what the company is doing to respond to the cyber attack. In addition, notice is given of subsequent updates on the development of the crisis, which will be issued on a daily basis.
- Second approach: the “panic-stricken” approach (the classic Italian approach): there is no press release about the cyber incident, even after the breach has been published underground, nor after the press has published a preview of the possible cyber incident. One week after the breach is published in the underground, close to the publication of the data, a press release is issued which minimizes the leak, describing the data as difficult to use and not of a sensitive nature (even when it is).
Now suppose that both approaches are implemented by two companies selling the same product, and you are a customer of one of the two.
If you were a customer of these two companies, which one would you trust the most?
Which of the two companies would you leave your personal information to?
Of course the first, or am I wrong?
Learn crisis management before it’s too late
We often forget that every private company must be accountable to its customers, while a public administration must be accountable to its citizens and voters. All this must take place before a report is submitted to its board and top management, and before the subsequent palace wars.
The second approach we have seen shows that in Italy we do not know how to do “crisis management” in cybersecurity incidents, and we have to learn it.
But without inventing anything new or transcendental, we could learn it by observing those who do it better than us, and perhaps manage to exploit the crisis itself and get back on track stronger than ever.
Do not assume that you will not be the victim of a cyber incident and that no one is interested in your data.
Today, everyone will have their own cybersecurity incident. The only unknown is when.
Therefore, let us learn “crisis management”, since, as this “case” shows, it is today one of the pillars of the response to cyber incidents, and above all of the response to ransomware; sooner or later we will have to put it into practice.
May this article be food for thought for everyone.